Recognising Malicious and Anti-Social Email

Chain letters & hoax virus warnings

A number of electronic 'chain letters' are in circulation which invite you to forward emails to new recipients. If you forward such mail you are in contravention of Information Services Regulations.

Typically these hoaxes may promise a money reward or bad luck as incentives. They may purport to come from children who are seriously ill or warn of new and deadly computer viruses. In almost every case these are hoaxes and should never be forwarded.

Inappropriate or offensive email

If mail has clearly been misdirected but would have been acceptable to its intended recipient, then a polite reply to the sender may well elicit an immediate apology.

If the mail comes from outside Cardiff, a complaint (with a copy of the offending message and full email headers) should be sent to two email addresses: Postmaster@Cardiff.ac.uk and Abuse@. This will usually result in the site terminating the user's account. Keep the original message in your mail folder while investigations take place.

Senders of offensive mail may use a free email service in order to hide their real identity. A complaint to Abuse@ will probably result in the sender's account being terminated, but may not prevent them reregistering under a different alias.

Headers include some information about the original source of the mail and Postmaster@Cardiff.ac.uk may be able to track it back to the real sender, particularly if the sender is based in Cardiff or the mail is part of a pattern of incidents.

Spam

Spam, unsolicited email, is an increasing problem on the Internet. Current anti-spam measures filter out many email viruses. Known spam sites are black-listed. Suspected spam has text added to the Subject: line. No email content is intercepted or modified.

The filtering software, SpamAssassin, was chosen because it is widely used and integrates easily with the EXIM mail software on the email servers. It has an extensive rule set which can be easily modified.

Improving Spam filters

Please forward any email you think should or should not have been filtered to Postmaster@Cardiff.ac.uk with the full headers attached and we will modify the rule set where necessary.

Mail address spoofing

Emails containing spam (unsolicited email content) or viruses are often sent from a spoofed address. They appear to come from the email address of an innocent third party whose identity is used to conceal the true origin of the email and avoid email software filters. Many viruses may raid a victim's addressbook for addresses to send to and to spoof. The use of an innocent address may increase the chance of the spam (or worse, virus) being accepted.

In the case of a virus, the infected computer may be difficult to trace. The email appears to come from a machine that is not infected. When the virus is detected by the recipient, the mail system may report the virus back to the spoofed address. Unfortunately, in many cases this automatic bounce message includes the virus, which infects the computer when the unexpected report is opened. The innocent victim may also get so many delivery failure messages that their mailbox becomes overloaded.

More seriously, an address you trust may be spoofed in order to fool you into providing personal or confidential information, perhaps via a link to a faked web site. Before sending such sensitive information, please check that the sender is who they purport to be. Consider mailing the trusted address (using your addressbook and not just replying to the address in the spoofed mail) to check whether they have indeed requested the information from you.

Mail address spoofing is easy to do, difficult to trace and impossible to prevent. Make sure that you keep your anti-virus software up to date. Extra virus scanning software has been installed on the campus central mail hubs so there is now a two-tier defence against viruses.

How to recognise spoofing

To check whether an address has been spoofed, you will need to see the full headers of the message. The following is an example of spoofed mail addressing:

Without full headers

From: <Someone@cardiff.ac.uk>
To: <Recipient@cardiff.ac.uk>
Subject: Do you have allergies?

So this message appears to have been sent from 'Someone' in Cardiff University to 'Recipient' at Cardiff University.

With full headers

From: <Someone@cardiff.ac.uk>
To: <Recipient@cardiff.ac.uk>
Subject: Do you have allergies?

You can see that the message was received from 'some.domain.com'. The name 'some.domain.com' does not end in cardiff.ac.uk and is obviously not a Cardiff University address. The sender's address has been spoofed.
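
The comparison described above can be automated. The following is an added example, not part of the original page: it reads a message with full headers and checks whether the host that handed the mail over belongs to the domain in the From: line. The sample message is constructed; its IP address, 'by' host and date are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the page's example headers plus a Received line naming
# 'some.domain.com'. The IP, the 'by' host and the date are placeholders.
SAMPLE = (
    "Received: from some.domain.com (some.domain.com [192.0.2.10])\n"
    "\tby receiving-hub.example with esmtp; Mon, 1 Jan 2024 10:00:00 +0000\n"
    "From: <Someone@cardiff.ac.uk>\n"
    "To: <Recipient@cardiff.ac.uk>\n"
    "Subject: Do you have allergies?\n"
    "\n"
    "Message body.\n"
)


def check_spoofing(raw_message):
    """Compare the From: domain with the host in the newest Received: line."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

    # Each server prepends its own Received: line, so the first one was written
    # by the recipient's own mail server and records who handed the mail over.
    received = msg.get_all("Received") or []
    host = None
    if received:
        match = re.match(r"\s*from\s+(\S+)", received[0], re.IGNORECASE)
        if match:
            host = match.group(1).lower().rstrip(".")

    if not host or not from_domain:
        suspect = None  # headers missing: nothing to compare
    else:
        # Match the domain itself or a subdomain, not merely a shared suffix.
        suspect = not (host == from_domain or host.endswith("." + from_domain))
    return {"from_domain": from_domain, "handed_over_by": host, "suspect": suspect}


if __name__ == "__main__":
    print(check_spoofing(SAMPLE))
```

A mismatch is a reason to look closer rather than proof, since some legitimate mail is relayed through other organisations' servers and the name after `from` is supplied by the sending machine.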